Protecting your Public Cloud after Meltdown and Spectre

In early January, researchers unveiled several major security vulnerabilities. Dubbed Meltdown and Spectre, these two vulnerabilities stem from a hardware flaw in CPUs, including Intel, Qualcomm, and ARM processors. Through a complicated series of exploits targeting “speculative execution,” an optimization technique used in most modern CPUs, attackers could gain access to data currently being processed on the computer. This might include passwords or business-critical information. For more information on how these vulnerabilities might be exploited, read the following:

Since these vulnerabilities allow access to data processed by other applications on the same physical machine, the potential consequences are particularly great in the cloud, where a single appliance could host data and processes from numerous different client organizations.

It is important to note that patches addressing these vulnerabilities have already been issued by Amazon Web Services (AWS), Google Cloud Platform, and Microsoft Azure. However, you should still take steps to ensure all of your instance operating systems are properly patched. As of now, there is no way to know whether either of these vulnerabilities was abused in the wild, but security practitioners still need to do their due diligence and ensure they are protected.

What you can do to protect your cloud infrastructure

As I mentioned earlier, patches have been rolled out across all major cloud infrastructure providers, but you still need to ensure your instance operating systems are patched as well.

Of course, if an attacker had foreknowledge of this vulnerability and actively exploited it before it was patched, you will need to keep a close eye on your systems. The major risk is access credential compromise. Privileged memory access means an attacker could use this vulnerability to steal access credentials, which could then be used to compromise your cloud services.

You should make sure all of your cloud user accounts have multi-factor authentication enabled and have changed their passwords since the vulnerability was patched. In addition, you should monitor cloud access for abnormal and suspicious activity, such as a user logging in from unusual geographies. For instance, your US-based network admin logging in from Eastern Europe hours after logging in from Los Angeles is probably a sign of credential abuse. Also, look for unusual communications, such as an abnormally large transfer to an unknown server, which could be indicative of data exfiltration.
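The "Los Angeles, then Eastern Europe a few hours later" pattern above is an impossible-travel check: two consecutive logins by the same user that are farther apart than any traveller could cover in the elapsed time. The following is an added example of that check, not code from the original post or from Cisco. The login events are constructed sample records; in a real deployment they would come from the provider's authentication log (for example CloudTrail ConsoleLogin events) with each source IP resolved to coordinates by a geolocation database, and the speed threshold is an assumption to tune per environment.

```python
"""Impossible-travel detection over console login events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Anything faster than a commercial airliner is treated as impossible (assumption).
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    time: datetime
    source_ip: str   # source address as logged
    lat: float       # coordinates resolved from source_ip by a geo database
    lon: float


@dataclass(frozen=True)
class TravelAlert:
    user: str
    earlier: LoginEvent
    later: LoginEvent
    distance_km: float
    speed_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH):
    """Return one TravelAlert per pair of consecutive logins (same user) whose
    implied travel speed exceeds max_speed_kmh."""
    by_user: dict[str, list[LoginEvent]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur.time - prev.time).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if hours <= 0:
                # Same timestamp from two distant places is impossible by definition.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append(TravelAlert(user, prev, cur, dist, speed))
    return alerts


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample logins (TEST-NET addresses, coordinates of LA, Kyiv, NYC).
SAMPLE_LOGINS = [
    LoginEvent("alice", _t("2018-01-10T08:00:00"), "192.0.2.10", 34.05, -118.24),  # Los Angeles
    LoginEvent("alice", _t("2018-01-10T12:00:00"), "203.0.113.7", 50.45, 30.52),   # Kyiv, 4h later
    LoginEvent("bob", _t("2018-01-10T09:00:00"), "192.0.2.20", 40.71, -74.01),     # New York
    LoginEvent("bob", _t("2018-01-10T17:00:00"), "192.0.2.21", 34.05, -118.24),    # Los Angeles, 8h later
    LoginEvent("carol", _t("2018-01-10T10:00:00"), "192.0.2.30", 34.05, -118.24),
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_LOGINS):
        print(f"{a.user}: {a.earlier.source_ip} -> {a.later.source_ip}, "
              f"{a.distance_km:.0f} km in {(a.later.time - a.earlier.time)}, "
              f"~{a.speed_kmh:.0f} km/h")
```

Bob's New York to Los Angeles move over eight hours is well under the threshold and is not flagged; Alice's Los Angeles to Kyiv move over four hours implies roughly 2,500 km/h and is. Pairs are evaluated per user in time order, so a geo-database error on a single event produces at most two alerts rather than poisoning the whole history.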

How Cisco can help

Cisco Stealthwatch Cloud can help you identify suspicious activities in your public cloud infrastructure. Stealthwatch Cloud monitors your public cloud environments using native telemetry, such as VPC Flow Logs. It then analyzes this data using sophisticated modeling and machine learning techniques to identify suspicious and malicious activities. And Stealthwatch Cloud does all this with minimal configuration and management – it works out of the box.

Most threats operate in similar ways, regardless of the initial attack vector. Stealthwatch Cloud was built to detect these activities to identify both current and future threats. These potentially malicious activities include geographically unusual remote access, abnormally large data transfers, users who disable multi-factor authentication, new connections to unusual servers, and much more. In short, Stealthwatch Cloud ensures you see the signs of an attack, regardless of the exploit used to initiate it.
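The native telemetry named above, VPC Flow Logs, is enough to find one of the listed signals, an abnormally large transfer to an unfamiliar server, without any product at all. The following is an added example of that check written against the default version 2 flow log record layout; it is not Stealthwatch Cloud code. The log lines are constructed (placeholder account id, TEST-NET addresses), and the VPC CIDRs, the approved-destination list, and the byte threshold are assumptions.

```python
"""Flag large outbound transfers in AWS VPC Flow Logs (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Default (version 2) VPC Flow Log record layout, space separated.
VPC_FLOW_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]

# Assumptions for this example: address space considered internal, destinations
# already known to be legitimate, and the egress volume that counts as large.
INTERNAL_NETS = [ipaddress.ip_network("172.31.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
KNOWN_DESTINATIONS = {"198.51.100.20"}   # e.g. an approved backup endpoint (placeholder)
EGRESS_THRESHOLD_BYTES = 500 * 1024 * 1024


@dataclass(frozen=True)
class EgressAlert:
    src: str
    dst: str
    total_bytes: int
    severity: str   # "high" when the destination is not a known server


def parse_flow_record(line: str):
    """Parse one flow log line into a dict; returns None for malformed or
    NODATA/SKIPDATA records, whose address fields are '-'."""
    parts = line.split()
    if len(parts) != len(VPC_FLOW_FIELDS):
        return None
    rec = dict(zip(VPC_FLOW_FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    rec["packets"] = int(rec["packets"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_summary(lines):
    """Total accepted bytes per (internal source, external destination) pair."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if is_internal(rec["srcaddr"]) and not is_internal(rec["dstaddr"]):
            totals[(rec["srcaddr"], rec["dstaddr"])] += rec["bytes"]
    return dict(totals)


def suspicious_egress(lines, threshold=EGRESS_THRESHOLD_BYTES, known=KNOWN_DESTINATIONS):
    """Alert on pairs whose outbound volume reaches the threshold; unknown
    destinations are rated high, approved ones medium."""
    alerts = []
    for (src, dst), total in sorted(egress_summary(lines).items()):
        if total >= threshold:
            severity = "medium" if dst in known else "high"
            alerts.append(EgressAlert(src, dst, total, severity))
    return alerts


# Constructed sample records (account id and addresses are placeholders).
SAMPLE_FLOW_LOG = """\
2 111111111111 eni-0a1b2c3d 172.31.16.139 203.0.113.5 49152 443 6 400000 500000000 1515600000 1515600060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 172.31.16.139 203.0.113.5 49153 443 6 300000 400000000 1515600060 1515600120 ACCEPT OK
2 111111111111 eni-0a1b2c3d 172.31.16.139 198.51.100.20 49154 443 6 500000 600000000 1515600000 1515600060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 172.31.16.139 172.31.16.21 49155 22 6 1000000 800000000 1515600000 1515600060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 172.31.16.139 198.51.100.7 49156 443 6 20 4249 1515600000 1515600060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 172.31.16.139 198.51.100.9 49157 4444 6 100000 700000000 1515600000 1515600060 REJECT OK
2 111111111111 eni-0a1b2c3d - - - - - - - 1515600000 1515600060 - NODATA
"""

if __name__ == "__main__":
    for a in suspicious_egress(SAMPLE_FLOW_LOG.splitlines()):
        print(f"[{a.severity}] {a.src} -> {a.dst}: {a.total_bytes / 2**20:.0f} MiB")
```

Two flows to 203.0.113.5 are summed to 900 MB and rated high because that host is not on the approved list; the 600 MB to the approved backup endpoint is still reported, at medium, because a large transfer to a known server can also be exfiltration. Internal-to-internal traffic, small flows, rejected flows and NODATA records are ignored. A production check would replace the fixed threshold with a per-host baseline learned from history, which is what the paragraph above means by modeling.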

Try Stealthwatch Cloud today for free

While it remains to be seen if anyone has fallen victim to a Spectre- or Meltdown-based attack, there are numerous methods threat actors can use to target cloud workloads. If you are worried about attacks targeting your public cloud assets, you can try Stealthwatch Cloud free with no risk for 60 days. Click here to get started.
